A place to share my thoughts, ideas, and experience in matters I deal with as part of my daily work.

Monday, November 15, 2010

RIA Security – From Blazing Livestock to Solid Platform

The web is still buzzing over Firesheep and the ease of hacking it demonstrates.

Firesheep serves as a good wake-up call for many end-users and application developers, reminding us, again, of how vulnerable web applications are.

In a short and concise explanation in his recent blog post, Jeff Atwood shows that, apart from a neatly packaged UI aimed at the novice hacker, Firesheep brings no actual technology news; it merely surfaces part of a web vulnerability that has not changed much in the past years.

A web session hijacked by FireSheep

Firesheep is one more example of how browser-based web applications can easily be hacked and intruded upon by malicious third parties.
Firesheep relies mainly on packet sniffing over unsecured wireless connections, but the same principle applies on LANs as well.
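What Firesheep captures is the session cookie travelling in cleartext, so the practical question for a defender is whether the application ever lets that cookie leave the browser unencrypted. The script below is an added example, not code from the original post: it audits the response headers that decide this, namely the Secure and HttpOnly flags on session-looking cookies and the presence of a Strict-Transport-Security header. The cookie-name patterns in SESSION_COOKIE_HINTS and the sample headers at the bottom are assumptions constructed for the example.

```python
# Added example, not code from the original post. It checks the response
# headers that decide whether a session cookie can be captured by a sniffer
# on an open wireless network (the Firesheep scenario) or read by injected
# script. The sample headers at the bottom are constructed.

# Assumption: substrings that mark a cookie as session-bearing for this audit.
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).
    Flag attributes (Secure, HttpOnly) map to True; valued ones to their string."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Findings for one Set-Cookie header; an empty list means it passes."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag, so the browser also sends it over plain http://")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag, so injected script can read it")
    return findings


def audit_response(headers):
    """Audit a list of (header-name, value) pairs from one HTTP response.
    Returns findings for every session-looking cookie plus an HSTS check."""
    findings = []
    has_hsts = False
    for hname, hvalue in headers:
        lname = hname.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie_name = parse_set_cookie(hvalue)[0]
            if any(h in cookie_name.lower() for h in SESSION_COOKIE_HINTS):
                findings.extend(audit_set_cookie(hvalue))
    if not has_hsts:
        findings.append("response: no Strict-Transport-Security header, "
                        "so a request typed as http:// is not upgraded")
    return findings


if __name__ == "__main__":
    # Constructed headers: a login response the way a Firesheep-era site sent it ...
    weak = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "sessionid=9f3c2a; Path=/"),
    ]
    # ... and the same response with the protections in place.
    hardened = [
        ("Content-Type", "text/html"),
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "sessionid=9f3c2a; Path=/; Secure; HttpOnly"),
    ]
    for label, hdrs in (("weak", weak), ("hardened", hardened)):
        print(label, audit_response(hdrs) or ["ok"])
```

Running it on the two constructed responses reports three findings for the weak one (cookie sent in cleartext, cookie readable by script, no HSTS) and none for the hardened one. The checks are deliberately header-level: they can be run against captured responses from a staging environment without any traffic interception.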

Many organizations that choose to develop their in-house applications as RIAs sometimes overlook the fact that, even though the application is not exposed to the outside world, malicious interventions are still a threat.

Organizations that are about to develop their new internet applications must consider the following:

To be (Browser based) or not to be (Browser based) – The browser's open, standards-based nature means that web application developers who choose to go “browser based” (which is still the default choice for many) must work through many security considerations and preemptive design decisions to circumvent the browser's default vulnerabilities. Though for many “browser” is very much a synonym for “Internet”, more and more developers and IT managers realize that an internet application does not necessarily need to be confined to a browser. Considering the security vulnerabilities of the browser and many other factors (desktop UX, client-side interaction, etc.), an independent RIA client would be a much more secure and suitable solution.

Sir Laurence Olivier as Hamlet

To Code or not to Code – Coding your own infrastructure means taking on a very heavy load of responsibility and work to cover all security issues. If you want your RIA fully secured, and want to let your end-users log in to your internet application even over unsecured lines at the airport, you must cover all of those issues yourself.
On the other hand, a comprehensive RIA platform dedicated to business applications, which covers all security issues for you and protects your applications from phishing, impersonation, script injection, session hijacking and more, allows you to concentrate on the business requirements of your application and spend little, if any, time resolving the security issues yourself.